I work at a small non-profit organization with about 55 desktop PCs running Windows XP Pro. The domain controller is running Windows Server 2003. I have a two-part question (note that I'm a bit of a newb when it comes to network administration).

Part 1: Is there some simple way that I can determine which accounts are logged in with administrator rights?

Part 2: Is there a way that I can remove administrator rights from users without sitting down at each individual machine?

4 Answers
4

For part 2, you can create a restricted groups Group Policy, and use that to enforce the membership of the local Administrators group on the workstations. Link that GPO to an OU high enough in AD so that all workstations are under it, and specify a WMI filter for the GPO so that it only applies to Windows XP workstations.

For a quick way to see what accounts are currently logged onto each machine grab a copy of loggedon2 (Google it to find dozens of different download sources).

Both 1 and 2 can be done through scripting. I don't have any links handy but with a little searching you should turn up quite a few examples of remotely managing user accounts through a variety of scripting languages. Some I've seen in the past are very creative indeed.

A more low-tech method to achieve #2 is to pull up compmgmt.msc from the run box, and connect to the other workstations via hostname or IP. Only slightly better than sitting at their desk, and the change won't take effect of course until they log off, but handy if you can't use GP.

You can get the information in #1 by scripting, whatever works best for you - vbscript, powershell, perl. Some creative googling will get you some sample code.